The curious case of 1.0.0.0/24, 1.1.1.0/24 and 1.2.3.0/24

Today I found 1.0.0.0/24, 1.1.1.0/24 and 1.2.3.0/24 in my routing table being originated from AS15169, i.e. Google. Somewhat surprised by this, I decided to dig a little further into the topic.

Having read RIPE's report (https://labs.ripe.net/Members/franz/content-pollution-18) on the topic, my first reaction was that Google would be using their massive network footprint and dense peering to try to attract as much traffic as possible to these destinations in an attempt to harvest data. We all know that Google like harvesting data, like they do with their open DNS resolvers, and so this would be another attempt in line with that. I tried googling but couldn't find any references to AS15169 being a legitimate originator of these prefixes.

Further digging led me to Geoff Huston, the chief scientist at APNIC. He is apparently conducting a research project on dark traffic analysis where he is collaborating, among others, with Google and it is under these terms that Google is authorised to announce the mentioned prefixes. As far as public information, this potaroo page is as good as it gets. Google is mentioned in the acknowledgement section but there is no mention of originating prefixes. I would sleep better if there was a bit more information on what actually goes on in these experiments, that Google is indeed authorised to originate these prefixes and last but certainly not least, that Google is not harvesting this data just like they are from their open DNS resolvers.

I'll swap my tin foil hat for the shame hat (I did accept these prefixes from Google) now and go implement some sanity filtering instead.
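One way to express the origin sanity check mentioned above, as an added example that is not the author's actual filter: it flags received routes for the three prefixes (or any more-specific inside them) whose origin AS is not on an operator-maintained allow-list. The allow-list contents, the sample routes and the function names are assumptions made for illustration.

```python
import ipaddress

# Prefixes named in the post. The accepted-origin sets are an assumption of this
# example: the post does not say which AS should originate them, so each set is
# empty (no origin accepted) until the operator fills it in.
WATCHED = {
    ipaddress.ip_network("1.0.0.0/24"): set(),
    ipaddress.ip_network("1.1.1.0/24"): set(),
    ipaddress.ip_network("1.2.3.0/24"): set(),
}

# Constructed sample of received routes: (prefix, AS path, origin rightmost).
SAMPLE_ROUTES = [
    ("1.0.0.0/24", "64496 15169"),
    ("1.1.1.0/24", "15169"),
    ("1.2.3.128/25", "64497 64498 15169"),  # more-specific of a watched prefix
    ("192.0.2.0/24", "64496 64499"),        # unrelated prefix, must pass
    ("1.2.3.0/24", "64496 {64500,64501}"),  # path ends in an AS_SET
]


def origin_as(as_path):
    """Return the origin ASN (rightmost hop), or None for an empty path or AS_SET."""
    hops = as_path.split()
    if not hops or not hops[-1].isdigit():
        return None
    return int(hops[-1])


def check_routes(routes, watched=WATCHED):
    """Return (prefix, origin, reason) for every route the filter would reject."""
    rejected = []
    for prefix, as_path in routes:
        net = ipaddress.ip_network(prefix)
        origin = origin_as(as_path)
        for watched_net, allowed in watched.items():
            # Match the watched prefix itself and any more-specific inside it.
            if net.version != watched_net.version or not net.subnet_of(watched_net):
                continue
            if origin is None:
                rejected.append((prefix, None, "no single origin AS"))
            elif origin not in allowed:
                rejected.append((prefix, origin, "unexpected origin"))
    return rejected
```

Passing a different `watched` mapping with a populated origin set lets the same check accept an announcement once its authorisation has been confirmed.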